SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mirai (Back to overview)

Mirai


There is no description at this point.

References
2019-05-08Verizon Communications Inc.Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2017-03-29ImpervaDima Bekerman
@online{bekerman:20170329:new:e4007ca, author = {Dima Bekerman}, title = {{New Mirai Variant Launches 54 Hour DDoS Attack against US College}}, date = {2017-03-29}, organization = {Imperva}, url = {https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html}, language = {English}, urldate = {2020-01-05} } New Mirai Variant Launches 54 Hour DDoS Attack against US College
Mirai
2017-02-21Kaspersky LabsGReAT
@online{great:20170221:newish:1c13271, author = {GReAT}, title = {{New(ish) Mirai Spreader Poses New Risks}}, date = {2017-02-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/}, language = {English}, urldate = {2019-12-20} } New(ish) Mirai Spreader Poses New Risks
Mirai
2017-02-10Twitter (@PhysicalDrive0)@PhysicalDrive0
@online{physicaldrive0:20170210:mirai:51440a0, author = {@PhysicalDrive0}, title = {{Tweet on Mirai Windows Version}}, date = {2017-02-10}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/PhysicalDrive0/status/830070569202749440}, language = {English}, urldate = {2019-07-09} } Tweet on Mirai Windows Version
Mirai
Yara Rules
[TLP:WHITE] win_mirai_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_mirai_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1ef08 33cf 2b4c241c 0fb6fb c1ee18 8b34b588ba5c00 3334bd88b65c00 }
            // n = 7, score = 100
            //   c1ef08               | shr                 edi, 8
            //   33cf                 | xor                 ecx, edi
            //   2b4c241c             | sub                 ecx, dword ptr [esp + 0x1c]
            //   0fb6fb               | movzx               edi, bl
            //   c1ee18               | shr                 esi, 0x18
            //   8b34b588ba5c00       | mov                 esi, dword ptr [esi*4 + 0x5cba88]
            //   3334bd88b65c00       | xor                 esi, dword ptr [edi*4 + 0x5cb688]

        $sequence_1 = { f7c100100000 7406 81ce00010000 f6c120 7408 81ce00000008 eb0b }
            // n = 7, score = 100
            //   f7c100100000         | test                ecx, 0x1000
            //   7406                 | je                  8
            //   81ce00010000         | or                  esi, 0x100
            //   f6c120               | test                cl, 0x20
            //   7408                 | je                  0xa
            //   81ce00000008         | or                  esi, 0x8000000
            //   eb0b                 | jmp                 0xd

        $sequence_2 = { ff75f0 8b45e0 8b482c e8???????? 8b4df4 64890d00000000 59 }
            // n = 7, score = 100
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b482c               | mov                 ecx, dword ptr [eax + 0x2c]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   59                   | pop                 ecx

        $sequence_3 = { f3ab 6804040000 6a00 8b857cffffff 05d4080000 50 e8???????? }
            // n = 7, score = 100
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   6804040000           | push                0x404
            //   6a00                 | push                0
            //   8b857cffffff         | mov                 eax, dword ptr [ebp - 0x84]
            //   05d4080000           | add                 eax, 0x8d4
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_4 = { 8bc8 33cb 81e10000ffff 33d9 33c1 c1cb12 8bc8 }
            // n = 7, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   33cb                 | xor                 ecx, ebx
            //   81e10000ffff         | and                 ecx, 0xffff0000
            //   33d9                 | xor                 ebx, ecx
            //   33c1                 | xor                 eax, ecx
            //   c1cb12               | ror                 ebx, 0x12
            //   8bc8                 | mov                 ecx, eax

        $sequence_5 = { eb07 8b45fc 40 8945fc 837dfc11 0f8d91000000 8b45fc }
            // n = 7, score = 100
            //   eb07                 | jmp                 9
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   40                   | inc                 eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   837dfc11             | cmp                 dword ptr [ebp - 4], 0x11
            //   0f8d91000000         | jge                 0x97
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_6 = { e8???????? 33db 57 8d4c241c 895c241c 895c2420 895c2424 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx
            //   895c2420             | mov                 dword ptr [esp + 0x20], ebx
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx

        $sequence_7 = { eb07 8b45fc 40 8945fc 837dfc11 0f8dc4000000 8b45fc }
            // n = 7, score = 100
            //   eb07                 | jmp                 9
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   40                   | inc                 eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   837dfc11             | cmp                 dword ptr [ebp - 4], 0x11
            //   0f8dc4000000         | jge                 0xca
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_8 = { c3 8d90dfbcffff 83fa5d 7709 0fb70445f69c6400 c3 8d88dfbbffff }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   8d90dfbcffff         | lea                 edx, [eax - 0x4321]
            //   83fa5d               | cmp                 edx, 0x5d
            //   7709                 | ja                  0xb
            //   0fb70445f69c6400     | movzx               eax, word ptr [eax*2 + 0x649cf6]
            //   c3                   | ret                 
            //   8d88dfbbffff         | lea                 ecx, [eax - 0x4421]

        $sequence_9 = { ffb51cf3ffff ff15???????? 85c0 0f84860a0000 83a574ecffff00 83a560ecffff00 6a00 }
            // n = 7, score = 100
            //   ffb51cf3ffff         | push                dword ptr [ebp - 0xce4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84860a0000         | je                  0xa8c
            //   83a574ecffff00       | and                 dword ptr [ebp - 0x138c], 0
            //   83a560ecffff00       | and                 dword ptr [ebp - 0x13a0], 0
            //   6a00                 | push                0

    condition:
        7 of them and filesize < 7086080
}
Download all Yara Rules